Splunk Search

Single slash as part of REGEX

jclemons7
Path Finder

Hello all,

I have the following query which gives me the required results, but I can't get the regex command to INCLUDE the single slash in front of the file.exe. I want to do this to prevent the query from counting testfile.exe and such.. any help is greatly appreciated.

ComputerName=* [search earliest=-2h latest=now() ProductType="1" | table ComputerName]

| regex CommandLine=(?i)"(testvalue1|testvalue2|\\file.exe)"

| eval testvalue1_count=if(match(lower(CommandLine),"testvalue1"),1,0)
| eval testvalue2_count=if(match(lower(CommandLine),"testvalue2"),1,0)

| eval file_count=if(match(lower(CommandLine),"\\file.exe"),1,0)

| stats sum(testvalue1_count) AS TV1 sum(testvalue2_count) AS TV2 sum(file_count) AS FC BY ComputerName
0 Karma
1 Solution

somesoni2
Revered Legend

You're almost there, just add another slash in the regex.

 | regex CommandLine=(?i)"(testvalue1|testvalue2|\\\file.exe)"

View solution in original post

somesoni2
Revered Legend

You're almost there, just add another slash in the regex.

 | regex CommandLine=(?i)"(testvalue1|testvalue2|\\\file.exe)"

jclemons7
Path Finder

three slashes matches one?

0 Karma

jclemons7
Path Finder

or three slashes matches two?

0 Karma

somesoni2
Revered Legend

First 2 slashes will give a single slash to escape the third one. End result a single slash.

0 Karma
Get Updates on the Splunk Community!

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...